Child Item

Refresh token not valid

I'm building a Flask app that sends files users post on their account to a shared Dropbox folder. It works fine with these short-lived 4-hour tokens, but as I prepare to move to deployment I need a longer-lasting token. I got a refresh token but when I try to use it I get an invalid token exception. I did the following:

1. Used my browser to load the following, with my app key inserted.

https://www.dropbox.com/oauth2/authorize?client_id=APPKEYHERE&response_type=code&token_access_type=offline

2. Authorized the request in the browser, got back the access code.

3. Ran the following, inserting the code I just got in the previous step, as well as my app key and app secret:

curl https://api.dropbox.com/oauth2/token \
    -d code=CODE_I_JUST_GOT_FROM_BROWSER \
    -d grant_type=authorization_code \
    -u APPKEYHERE:APPSECRETHERE

This returned what I expect—a dictionary with access token (the short-lived one starting with `sl.`), some account and permission info, and the `refresh_token`. When I use the short lived token it works (until expiration) but the refresh token gives me an error. What am I doing incorrectly? I've done the above process a couple of times now with no luck.

Find more posts tagged with

API

Abuse

Comments

Здравко

Hi @MightyModest,

You are doing well initial authorization steps! 😉 So, you already have all needed to be able perform regular API calls. The API calls accept access tokens only, NOT refresh token!!! That's where start your errors. First, don't try replace the access token with refresh token - as you know already it doesn't work. Second as "refresh token" name suggest, it's a token to refresh the access token and can't be used for something else. 😉 By the way... 🤔 have you refreshed the access token once the initial one got expire? Ohh... 🤫 seems not! Try it - may work. 😉 Take a look here for a more complete example.

Hope this helps.

MightyModest

Thanks for clarifying on the refresh token. I think my confusion is about how to implement a Python-specific way of using that refresh token to constantly grab a new short-lived token. Right now my app does the following (which works with a short-lived token in my environmental variables):

import dropbox

client = dropbox.Dropbox(dropbox_access_token)
uploaded = client.files_upload(open(local_file_path, "rb").read(), dropbox_path)
shared_link = client.sharing_create_shared_link(dropbox_path)

I've searched for an example of how I can programmatically (I imagine via a cron job that runs more frequently than the four hour expiration time) use my refresh token to update `dropbox_access_token` above. I'm sure there's a code example but I just can't find it, likely because I'm not using the right terminology.

Здравко

@MightyModest wrote:
... I think my confusion is about how to implement a Python-specific way of using that refresh token to constantly grab a new short-lived token. ... I've searched for an example of how I can programmatically (I imagine via a cron job that runs more frequently than the four hour expiration time) use my refresh token to update `dropbox_access_token` above. ...

😀 No, you will not find such a example and it's not need while using any of Dropbox supported SDKs (including Python). Refresh is performed by the client object internally whenever needed - on demand. The only thing you need is to provide full credentials (including refresh token), so refresh to be possible. 😉 Take a look here for a something like very simple example. Don't try perform refresh yourself; in such a way you will double existing code - something meaningless. Ahh.. it's still possible of course...

Good luck.

Greg-DB

@MightyModest As Здравко noted, if you're using an official Dropbox SDK, you don't need to implement the refresh process yourself. The SDK will do that for you automatically as long as you provide the necessary credentials. For reference, in the PKCE example Здравко linked to, only the refresh token and app key is required. If you're not using PKCE to retrieve the refresh token initially though, you'll need to also supply the app secret, as in this example.